JetBrains / svg-sprite-loader

Webpack loader for creating SVG sprites.
MIT License

Security: set-value is not up to date #473

Open nboisteault opened 2 years ago

nboisteault commented 2 years ago

Do you want to request a feature, report a bug or ask a question? I have a Dependabot alert:

> **CVE-2021-23440** (high severity)
> Vulnerable versions: < 4.0.1
> Patched version: 4.0.1
>
> This affects the package set-value before 4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
>
> The latest possible version that can be installed is 2.0.1 because of the following conflicting dependencies:
>
> - svg-sprite-loader@6.0.9 requires set-value@^2.0.0 via a transitive dependency on cache-base@1.0.1
> - svg-sprite-loader@6.0.9 requires set-value@^2.0.1 via a transitive dependency on union-value@1.0.1
>
> The earliest fixed version is 4.0.1.

Please tell us about your environment:

justojo commented 2 years ago

Same here. I am getting 5 high severity alerts due to set-value not being up to date.

```
svg-sprite-loader@6.0.10
└── svg-baker@1.7.0
    └── micromatch@3.1.0
        └── snapdragon@0.8.2
            └── base@0.11.2
                └── cache-base@1.0.1
                    ├── set-value@2.0.1
                    └── union-value@1.0.1
                        └── set-value@2.0.1 deduped
```